Concerned that California lacks a comprehensive strategy to combat cybersecurity threats, two state Assembly committees have summoned state officials to the Capitol to detail efforts to date and ask what else can be done.
The Privacy and Consumer Protection Committee and the Select Committee on Cybersecurity will hold a joint hearing Feb. 24. Among the officials scheduled to testify are State Auditor Elaine Howle, who last August issued a report critical of the state’s preparedness, and Mark Ghilarducci, director of the Governor’s Office of Emergency Services.
“We really need to take this issue seriously,” Assemblymember Jacqui Irwin, D-Thousand Oaks, chair of the Select Committee on Cybersecurity, told Techwire in a telephone interview. “If residents of California really understood how much of their personal information is stored by the state, they would be very concerned.”
The hearing continues last year’s legislative scrutiny of the state’s preparedness to deter cyberattacks, which led to a number of bills enacted in 2015 and an executive order issued by Gov. Jerry Brown.
Security breaches at the Pentagon, the White House, U.S. health-care companies, universities and retailers underscore how vulnerable state governments are to an attack. In her report, the state auditor faulted the California Department of Technology for failing to provide oversight and guidance on safeguarding IT systems, and found just four of the reporting agencies and departments that maintain confidential and sensitive data fully complied with security standards.
Gov. Jerry Brown in August signed an executive order creating the California Cybersecurity Integration Center, saying the state needed to better prepare for and respond to destructive cyberattacks.
But questions remain about how Brown’s order will be implemented and funded, and exactly how it will benefit California’s infrastructure and law enforcement. And it is not clear who in state government is providing the overall leadership on cybersecurity. Irwin said she hopes the hearing will provide lawmakers with some insight into the administration’s efforts.
Lawmakers also intend to press for more information about mandated IT audits, which they required the Office of Information Security to begin last year with the passage of Irwin’s AB 670. Her bill requires OES to perform network security assessments of at least 35 state agencies per year, and lawmakers want to know which agencies will get the priority audits.
For example, “what agencies have the most sensitive personal information and which are at the most risk,” said Irwin.
In a statement to Techwire, Ed Chau, chair of the Assembly Committee on Privacy and Consumer Protection, said he also hoped to discuss how “to ensure that sufficient resources are being directed to address identified weaknesses in our networks.”
“This is an issue the Legislature will be vigorously engaged in going forward, because it is critical that we have a coherent long-term cybersecurity strategy for California,” said Chau, D-Monterey Park.
Other officials scheduled to testify include Robert Sumner, special counsel for legislation at the state Attorney General’s office; Capt. Rich Desmond at the California Highway Patrol; Maj. Gen. Matt Beevers, Deputy Adjutant General at the California Military Department; and a Department of Technology representative.